Survey: Organizations Enhance Internal Audit Teams as Gap Widens Between Rising Risks and Workforce Capacity
Date – 01-Aug-2024
Over half of audit committees, boards, and CFOs have tasked internal audit with additional risk-related activities in the past two years.
AuditBoard, the leading cloud-based platform for audit, risk, compliance, and ESG management, has announced the findings of its latest industry benchmark survey, detailed in the report Internal Audit’s Expanding Role: The Foundation for Connected Risk. The survey reveals that over half of audit committees, boards, and chief financial officers are increasingly relying on internal audit teams to handle additional risk-related responsibilities.
This shift in expectations comes at a time when internal audit teams are already stretched thin and struggling to provide advisory services. The report highlights a growing gap in risk coverage due to rising demands and limited capacity.
Unyielding economic, geopolitical, regulatory, and cyber risks pose serious threats. Without effective management, these risks can lead to severe consequences for enterprises, including financial and reputational damage, noncompliance penalties averaging $14 million per incident, and revenue losses from third-party risk incidents averaging $1 billion each. The most pressing issue, however, is that many organizations lack the crucial risk information needed to make informed decisions and enhance business value.
The report examines how internal audit teams are currently allocating their time and identifies potential adjustments to shift their focus toward value-added, risk-related activities. Key findings include:
Expansion of Internal Audit Responsibilities: Organizations are increasingly leveraging internal audit’s expertise to navigate today’s volatile risk landscape. Notably:
- Information Security Control Testing: This area is growing, with 82% of chief audit executives (CAEs) engaged and 44% either leading or heavily involved.
- Continuous Monitoring: Only 28% of CAEs are significantly involved in continuous monitoring of key processes, despite 60% having some level of involvement in Enterprise Risk Management (ERM), with 40% having no involvement.
Evolving Expectations: Internal audit faces shifting demands from various stakeholders:
- Increased Involvement: More than half (55%) of CAEs report that their administrative reporting managers (typically CFOs and CEOs) have requested more involvement in activities such as ERM, ESG, governance, operational initiatives, and quality assurance over the past two years.
Lack of Risk Management Maturity: Many organizations are lagging in risk management maturity:
- Integrated Risk Management (IRM): While CAEs see IRM as a key area for increased responsibility, most organizations are not mature in this area. 96% lack mature IRM programs, with 11% having no IRM strategy and 51% having no cohesive strategy despite recognizing the need. Additionally, 24% are working towards connecting audit, risk, and compliance functions without a formal strategy.
Tom O’Reilly, Field Chief Audit Executive and Connected Risk Advisor at AuditBoard, noted, “Organizations can better manage risk by adopting a connected risk strategy—a modern, cross-functional approach to managing risk across the enterprise. Embracing connected risk is a natural evolution for internal audit, given their extensive governance, risk, and compliance expertise and deep cross-functional relationships.”